Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: a8541f866cac72ada61072660e9ca678c6295e94
      
https://github.com/WebKit/WebKit/commit/a8541f866cac72ada61072660e9ca678c6295e94
  Author: Adrian Taylor <[email protected]>
  Date:   2026-07-15 (Wed, 15 Jul 2026)

  Changed paths:
    M Source/WTF/WTF.xcodeproj/project.pbxproj
    A Source/WTF/wtf/BorrowedBytes.h
    M Source/WTF/wtf/CMakeLists.txt
    M Source/WTF/wtf/module.modulemap
    M Source/WebCore/PAL/PAL.xcodeproj/project.pbxproj
    M Source/WebCore/PAL/pal/CMakeLists.txt
    M Source/WebCore/PAL/pal/crypto/CryptoAlgorithmAESGCMCocoa.cpp
    M Source/WebCore/PAL/pal/crypto/CryptoAlgorithmAESKWCocoaBridging.cpp
    M Source/WebCore/PAL/pal/crypto/CryptoAlgorithmEd25519CocoaBridging.cpp
    M Source/WebCore/PAL/pal/crypto/CryptoAlgorithmHKDFCocoaBridging.cpp
    M Source/WebCore/PAL/pal/crypto/CryptoAlgorithmHMACCocoaBridging.cpp
    M Source/WebCore/PAL/pal/crypto/CryptoAlgorithmX25519CocoaBridging.cpp
    M Source/WebCore/PAL/pal/crypto/CryptoEDKeyBridging.cpp
    R Source/WebCore/PAL/pal/crypto/CryptoKit+UnsafeOverlays.swift
    M Source/WebCore/PAL/pal/crypto/CryptoKitShim.swift
    M Source/WebCore/PAL/pal/crypto/CryptoTypes.h
    R Source/WebCore/PAL/pal/crypto/CryptoTypes.swift
    M Source/WebCore/PAL/pal/crypto/PlatformECKey.cpp
    A Source/WebCore/PAL/pal/crypto/WTFExtras.swift
    M Source/WebCore/PAL/pal/crypto/commoncrypto/CryptoDigestCommonCrypto.cpp
    M Tools/TestWebKitAPI/CMakeLists.txt
    M Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj
    A Tools/TestWebKitAPI/Tests/WTF/BorrowedBytes.cpp

  Log Message:
  -----------
  [Swift] Add BorrowedBytes and use from PAL
https://bugs.webkit.org/show_bug.cgi?id=318675
rdar://164560176

Reviewed by Ryosuke Niwa.

PAL has some code to interface with platform Swift crypto APIs marked with a
crucial FIXME showing that a large number of 'unsafe' statements need to be
removed. Those statements genuinely show a risk that present or future mistakes
in Swift or C++ code could have resulted in exploitable memory safety bugs.

This change adds suitable new primitives to allow buffers of bytes to be passed
safely across the C++/Swift boundary. It aims to do this with no extra
copying beyond the pre-existing state, so it should be performance-neutral.

This change adheres to the principle that we may need carefully human-reviewed
`unsafe` statements within WTF, in order to allow higher layers of the stack
to be entirely free of `unsafe`.

Specifically, we:
- introduce a Swift initializer for WTF::Vector<uint8_t> which can
  construct such a vector from any Swift ContiguousBytes
- introduce a BorrowedBytes type which is a borrow of some C++ bytes
  and in Swift complies with ContiguousBytes, thus can be passed to
  the crypto APIs as-is. This new type achieves memory safety by
  communicating with a couple of different BorrowScope types in C++ which
  mark the allowable lifetime of the use of the bytes. If the
  borrow scope is destroyed while Swift may still want to use the bytes,
  a clean runtime crash will occur rather than an exploitable bug.
- adapt PAL to use these, removing all 'unsafe' statements from PAL's
  Swift code.
- add a test for BorrowedBytes.

If the bytes are being borrowed from a Vector, this mechanism interacts
with the existing CanBorrow mechanism, so this should guard against
reallocations or resizes of the vector as well as destruction of the
vector overall. This result required an additional change to WTF::Vector,
raised as https://github.com/WebKit/WebKit/pull/68737.

At present, WTF cannot support Swift, for reasons explained in the following
bugs. The WTF Swift code is therefore temporarily alongside the crypto
code in PAL in a file called WTFExtras.swift.
https://bugs.webkit.org/show_bug.cgi?id=315629
rdar://178003865

Test: Tools/TestWebKitAPI/Tests/WTF/BorrowedBytes.cpp

* Source/WTF/WTF.xcodeproj/project.pbxproj:
* Source/WTF/wtf/BorrowedBytes.h: Added.
(WTF::BorrowedBytes::size const):
(WTF::BorrowedBytes::ref const):
(WTF::BorrowedBytes::deref const):
(WTF::BorrowedBytes::create):
(WTF::BorrowedBytes::BorrowedBytes):
(WTF::BorrowedBytes::revoke):
(WTF::BorrowedBytesScopeBase::BorrowedBytesScopeBase):
(WTF::BorrowedBytesScopeBase::~BorrowedBytesScopeBase):
* Source/WTF/wtf/CMakeLists.txt:
* Source/WTF/wtf/module.modulemap:
* Source/WebCore/PAL/PAL.xcodeproj/project.pbxproj:
* Source/WebCore/PAL/pal/CMakeLists.txt:
* Source/WebCore/PAL/pal/crypto/CryptoAlgorithmAESGCMCocoa.cpp:
(PAL::Crypto::encryptCryptoKitAESGCM):
* Source/WebCore/PAL/pal/crypto/CryptoAlgorithmAESKWCocoaBridging.cpp:
(PAL::Crypto::wrapKeyAESKWCryptoKit):
(PAL::Crypto::unwrapKeyAESKWCryptoKit):
* Source/WebCore/PAL/pal/crypto/CryptoAlgorithmEd25519CocoaBridging.cpp:
(PAL::Crypto::signEd25519CryptoKit):
(PAL::Crypto::verifyEd25519CryptoKit):
* Source/WebCore/PAL/pal/crypto/CryptoAlgorithmHKDFCocoaBridging.cpp:
(PAL::Crypto::deriveBitsHKDFCryptoKit):
* Source/WebCore/PAL/pal/crypto/CryptoAlgorithmHMACCocoaBridging.cpp:
(PAL::Crypto::signHMACCryptoKit):
(PAL::Crypto::verifyHMACCryptoKit):
* Source/WebCore/PAL/pal/crypto/CryptoAlgorithmX25519CocoaBridging.cpp:
(PAL::Crypto::deriveBitsX25519CryptoKit):
* Source/WebCore/PAL/pal/crypto/CryptoEDKeyBridging.cpp:
(PAL::Crypto::EdKey::privateToPublic):
(PAL::Crypto::EdKey::privateToPublicKeyAgreement):
(PAL::Crypto::EdKey::validateKeyPair):
(PAL::Crypto::EdKey::validateKeyPairKeyAgreement):
* Source/WebCore/PAL/pal/crypto/CryptoKit+UnsafeOverlays.swift: Removed.
* Source/WebCore/PAL/pal/crypto/CryptoKitShim.swift:
(Digest.update(_:)):
(Digest.finalize):
(Digest.sha1(_:)):
(Digest.sha256(_:)):
(Digest.sha384(_:)):
(Digest.sha512(_:)):
(ECKey.importX963Pub(_:curve:)):
(ECKey.exportX963Pub):
(ECKey.importCompressedPub(_:curve:)):
(ECKey.importX963Private(_:curve:)):
(ECKey.exportX963Private):
(ECKey.deriveBits(_:)):
(EdKey.generatePrivateKey(_:)):
(EdKey.generatePrivateKeyKeyAgreement(_:)):
(WTF.requireNonEmpty):
(Curve25519.signature(_:)):
(Curve25519.isValidSignature(_:data:)):
(Curve25519.sharedSecretFromKeyAgreement(_:)):
* Source/WebCore/PAL/pal/crypto/CryptoTypes.h:
* Source/WebCore/PAL/pal/crypto/CryptoTypes.swift: Removed.
* Source/WebCore/PAL/pal/crypto/PlatformECKey.cpp:
(PAL::Crypto::PlatformECKey::sign const):
(PAL::Crypto::PlatformECKey::doVerify const):
(PAL::Crypto::PlatformECKey::importX963Pub):
(PAL::Crypto::PlatformECKey::importX963Private):
(PAL::Crypto::PlatformECKey::importCompressedPub):
* Source/WebCore/PAL/pal/crypto/WTFExtras.swift: Added.
(WTF.startIndex):
(WTF.endIndex):
(WTF.regions):
(NonNullBytes.placeholder):
(NonNullBytes.regions):
(NonNullBytes.startIndex):
(NonNullBytes.endIndex):
(WTF.asNonNullBytes):
(makeVectorUInt8(copying:)):
* Source/WebCore/PAL/pal/crypto/commoncrypto/CryptoDigestCommonCrypto.cpp:
(PAL::Crypto::CryptoDigest::addBytes):
* Tools/TestWebKitAPI/CMakeLists.txt:
* Tools/TestWebKitAPI/TestWebKitAPI.xcodeproj/project.pbxproj:
* Tools/TestWebKitAPI/Tests/WTF/BorrowedBytes.cpp: Added.
(TestWebKitAPI::TEST(WTF_BorrowedBytes, SpanScopeExposesBytes)):
(TestWebKitAPI::TEST(WTF_BorrowedBytes, SpanScopeOverSubspan)):
(TestWebKitAPI::TEST(WTF_BorrowedBytes, VectorScopeExposesBytes)):
(TestWebKitAPI::TEST(WTF_BorrowedBytes, EmptySpan)):
(TestWebKitAPI::TEST(WTF_BorrowedBytes, EmptyVector)):
(TestWebKitAPI::TEST(WTF_BorrowedBytes, ScopeHoldsSoleReference)):
(TestWebKitAPI::TEST(WTF_BorrowedBytes, NestedVectorScopes)):
(TestWebKitAPI::TEST(WTF_BorrowedBytesDeathTest, 
MAYBE_ASSERT_ENABLED_DEATH_TEST(StashedViewCrashesAtScopeEnd)):

Canonical link: https://commits.webkit.org/317262@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to